Windows Event to SNMP Trap translator


Have you ever had an issue working with the WinEvent passive monitor? You are not alone. Since the WinEvent passive monitors use WMI to get their information, there are a lot of outside variables to take into account. Are you using the proper credentials? Are your forward and reverse DNS entries correct? Is WMI properly allowed through the firewall on both ends? In a sense, despite being called a passive monitor, the WinEvent listener in WhatsUp Gold is not “passive”.

The way it works is that it registers for events. For example, you want to collect all Event ID 1234: you create a WinEvent passive monitor and apply it to a device. WhatsUp Gold then tells the device, “If you receive Event ID 1234, tell me and give me the output.” However, WhatsUp Gold only checks that the connection for this registration still exists every 60 seconds by default, regardless of whether or not the connection has been broken. Since the WinEvent listener depends on this connection existing, it is possible to miss up to 60 seconds of events whenever the connection is broken, for example after a reboot of the device or a restart of the WhatsUp Gold services.

To me this model never made sense and still does not. However, there is a great alternative that is easy to use. It is called the ‘Event to Trap translator’. Yes, this is built into Windows. You do not need to download or install anything; every Windows system has this out of the box. Using the Event to Trap translator is pretty simple and is more reliable than depending on the WMI connection. In addition, the trap will always be sent, even when the server first boots. This is a true passive monitor because WhatsUp Gold will literally just be listening for that SNMP trap to come in.

I am going to go into more detail at some point, but for now you’ll have to deal with this:

[Screenshot: winevnt1]

Start > Run > evntwin


[Screenshot: winevnt2]

Select ‘Custom’ and then click ‘Edit>>’


[Screenshot: winevnt3]

Find the Event IDs you want to know about, select them (Ctrl+left-click works to select multiple as well) and click ‘Add’


[Screenshot: winevnt4]

Click ‘Apply’ then ‘OK’


From here, restart SNMP and you are all set. When those events come in, the system will send an SNMP trap to whatever is configured in the ‘Traps’ tab of the SNMP service on that server. Now you configure WUG to listen for those events…

[Screenshot: winevnt13]

Example configuration for SNMP Trap Passive Monitor

[Screenshot: winevnt14]

Example 2


And apply it to the device. Note: in this example, I am listening for that event ID and matching a certain description. These examples are looking for logon/logoff security events. Here is a list of logon types. It's important to consider the formatting of the event description when adding a ‘match on’. ‘Logon Type: 10’ must be formatted with many spaces; copy and paste works best. For reference: Logon Type:                                       10

You can also export the event lists and save as a file. Then you can use that file to apply the configuration to other systems using ‘evntcmd’. This operation can be scripted to run against many systems.

[Screenshot: winevnt10]

Select the events in the top section under ‘Events to be translated to traps:’, click Export, and save the config file.


[Screenshot: winevnt11]

Use evntcmd -s hostname C:\events.cnf (or wherever you saved your file) to set up this configuration elsewhere. It will also restart SNMP unless you specify the -n parameter.
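As an added example (not part of the original post), here is one way to script the evntcmd step above against many systems from Windows PowerShell 5.1. It assumes C:\events.cnf is the file exported from evntwin, C:\servers.txt lists one hostname per line, the account running it can manage the SNMP service on each target, and that evntcmd sets a non-zero exit code when it cannot apply the file (an assumption; the raw output is logged either way).

```powershell
# Added example, not from the original post: push an exported evntwin
# configuration to a list of servers with evntcmd and log each result.
# Assumes Windows PowerShell 5.1 (Get-Service -ComputerName) and that the
# config file was produced by evntwin's Export button as described above.
param(
    [string]$ConfigFile = 'C:\events.cnf',    # exported evntwin config
    [string]$HostList   = 'C:\servers.txt',   # one hostname per line
    [string]$LogFile    = 'C:\evntcmd-deploy.log',
    [switch]$NoRestart                        # pass evntcmd -n: do not restart SNMP
)

if (-not (Test-Path $ConfigFile)) { throw "Config file not found: $ConfigFile" }
$servers = Get-Content $HostList | Where-Object { $_.Trim() -ne '' }

foreach ($server in $servers) {
    # A target without an SNMP service cannot send traps, so check before pushing.
    $snmp = Get-Service -Name SNMP -ComputerName $server -ErrorAction SilentlyContinue
    if (-not $snmp) {
        "$(Get-Date -Format s) $server SKIPPED: SNMP service not found" |
            Tee-Object -FilePath $LogFile -Append
        continue
    }

    # Build the evntcmd argument list: evntcmd [-s computer] [-n] file
    $cmdArgs = @('-s', $server)
    if ($NoRestart) { $cmdArgs += '-n' }
    $cmdArgs += $ConfigFile

    # Assumption: a non-zero exit code means the file could not be applied.
    $output = & evntcmd.exe @cmdArgs 2>&1
    $status = if ($LASTEXITCODE -eq 0) { 'OK' } else { "FAILED (exit $LASTEXITCODE)" }
    "$(Get-Date -Format s) $server $status $($output -join ' ')" |
        Tee-Object -FilePath $LogFile -Append
}
```

Review the log afterwards for SKIPPED or FAILED entries; a server that was skipped still has no trap translation configured, so its events will not reach WhatsUp Gold.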
